Controls Are for Auditors

Controls Are for Auditors

An Information Management Approach

By: Chad Boeckmann, CISSP, CISA (CEO, Secure Digital Solutions)

Consider this approach to information security: Controls are for auditors; processes are for managers. As someone who has for nearly two decades provided guidance to help companies improve their information security, I’ve concluded the typical industry approach to information security (focusing on controls) is too narrow.

Often, tools are purchased as a reaction to the latest threat or worse, a socially cool trend. To truly operationalize security, information security practitioners, particularly leaders (CISO’s), must focus on how to manage the security program, both data security and cyber security, based on performance of processes. Let’s take the following excerpt described by IIA:

The Institute of Internal Auditors (IIA) defines control, the control environment, and control processes as follows:

A control is any action taken by management, the board, and other parties to manage risk and increase the likelihood that established objectives and goals will be achieved. Management plans, organizes, and directs the performance of sufficient actions to provide reasonable assurance that objectives and goals will be achieved.

Control processes are the policies, procedures (both manual and automated) and activities that are part of a control framework, designed and operated to ensure that risks are contained within the level an organization is willing to accept. Risk management is a process to identify, assess, manage, and control potential events or situations to provide reasonable assurance that the organization will achieve its objectives.

So how can you actually begin to measure your security program and operationalize performance based on process? First there are many controls that can be harmonized into processes. You might be thinking, “There are too many processes to manage effectively. Controls are easier.” I would challenge any security program, in most use cases, to identify more than 40 processes that need to be managed to align with regulatory and internal or external policy objectives for information security. Yes, this includes regulations such as GDPR, HIPAA, PCI DSS, FFIEC and frameworks like ISO27001/2 and NIST CSF.

Many of the regulatory controls and framework controls overlap considerably. To use a golf analogy, if we raise our eyes from the rough outlining the fairway, we can see the ball and pin clearly. Taking an industry recognized IT Management and Governance framework like COBIT and marrying it with a set of consolidated processes, your life as a CISO or information security practitioner becomes easier. Easier because you have the ability to align the organization’s objectives (the pin) with metrics related to the process (the fairway) to get the ball to the pin.

This is why we’ve automated this process with TrustMAPP. This is part 1 of a 2-part blog post. In the next entry I’ll discuss how to go about measuring process level performance to align with frameworks and regulations in a simplified but meaningful way.